This is an important question and I'm sorry I just stumbled on it today. I hope this information helps you. Essentially what you're talking about is the structure behind an employee deskbook including identifying, monitoring and reporting risks. Through systematically understanding and recording the objectives of business activity (aligned with your Business Impact Analysis), the risks that could prevent these objectives from being reached, and the controls that will channel activities and energy into the right and relevant direction, a coherent structure for managing the internal control framework is established.
So, you take your BIA work and apply it to each job position as risk, and possibly performance, indicators (NOT to each employee). Some jobs may have multiple employees performing them and in that case I'd use the same assessment.
Does this answer your question?
_________________________
Eryn Tribble
(888) 297 - PLAN
Of course, there are some things you just can't ever see coming so always plan ahead!